# grafana

Dashboard UI. Cloud-side = central observability. Edge-side = plant-local SCADA.

- **Networks**: `app` (reachable from nginx-proxy) + `data` (queries influxdb)
- **Volume**: `grafana-data` (sqlite, plugins, sessions)
- **Config**: `./config/provisioning` (datasources + dashboards as code) — add once SQL/Influx are wired
- **Hostname**: `dash.wbd-rd.nl`

## Auth

Keycloak OIDC via Grafana's `generic_oauth` provider. All env-driven (see `cloud/.env.example`):

| Env var | Purpose |
|---|---|
| `GRAFANA_OAUTH_CLIENT_ID` / `_SECRET` | Keycloak `grafana` client credentials |
| `GF_AUTH_GENERIC_OAUTH_*` | Provider URLs + claim mapping (set inline in `compose.yml`) |

### Role mapping

`GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` interprets the Keycloak `realm_access.roles` claim:

| Keycloak realm role | Grafana org role |
|---|---|
| `app-admin` *or* `grafana-admin` | Admin |
| `grafana-editor` | Editor |
| (none of the above) | Viewer |

So a fresh teammate added to the `wbd` realm lands as a Viewer. Grant them `app-admin` (or `grafana-editor`) in Keycloak to promote.

`GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true` auto-creates the Grafana user on first OIDC login.

## TODO

- Datasource provisioning (`./config/provisioning/datasources/` — Influx, postgres)
- Dashboard-as-code baseline (`./config/provisioning/dashboards/`)
- Plugin pin list
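
For debugging the role mapping described under "Role mapping", an added example (not code from this repo): it decodes a token's payload and reports which Grafana org role the table yields, and whether `realm_access.roles` was present at all. The function names and sample claim sets are constructed for illustration, and the top-to-bottom precedence of the table rows is an assumption; the signature is not verified, so this is a debugging aid only.

```python
import base64
import json

# Assumed precedence: table rows evaluated top to bottom, first match wins.
ROLE_RULES = [
    ("app-admin", "Admin"),
    ("grafana-admin", "Admin"),
    ("grafana-editor", "Editor"),
]

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def expected_grafana_role(claims):
    """Return (org_role, claim_present) for a decoded claim set."""
    realm_access = claims.get("realm_access")
    roles = realm_access.get("roles") if isinstance(realm_access, dict) else None
    if not isinstance(roles, list):
        return "Viewer", False  # claim missing or malformed: falls through to Viewer
    for realm_role, org_role in ROLE_RULES:
        if realm_role in roles:
            return org_role, True
    return "Viewer", True  # claim present, but no mapped role granted

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    samples = {  # constructed claim sets, not real tokens
        "fresh teammate": {"realm_access": {"roles": ["offline_access"]}},
        "editor": {"realm_access": {"roles": ["grafana-editor"]}},
        "editor + app-admin": {"realm_access": {"roles": ["grafana-editor", "app-admin"]}},
        "claim missing": {"preferred_username": "alice"},
    }
    for name, claims in samples.items():
        role, present = expected_grafana_role(jwt_claims(make_sample_token(claims)))
        print(f"{name:20} -> {role:6} (realm_access.roles present: {present})")
```

A `Viewer` result with the claim reported absent points at the token contents rather than at a missing role grant in Keycloak.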